The Cisco CTL client software, available as a plug-in application on Cisco CallManager Administration, is used to create or update the Certificate Trust List (CTL). The CTL is a list of the trusted certificates in the CallManager cluster. When the list is accurate, the Cisco CTL client will ensure that the CTL is signed by the keys of the Cisco CTL client. These keys are stored on an external Universal Serial Bus (USB) devicethe security token. When the CTL needs to be signed, the Cisco CTL client passes the CTL to the security token, and the security token signs it and then returns the signed CTL to the Cisco CTL client application. The Cisco CTL client is needed in these situations:
In all the situations listed, the Cisco CTL client creates a new CTL and signs it by using a security token. The Cisco IP Phones load the new CTL and are then aware of the changes to the IP telephony system. Any changes that are not reflected in the CTL (for instance, if you change the IP address of a server but do not create a new CTL using the Cisco CTL client application) cause the Cisco IP Phones to treat the corresponding device as untrusted. From this perspective, the CTL can be seen as the certificate root store of your browser (listing all trusted certificate-issuing entities). If any device that was previously trusted is not trustworthy anymore (for instance, when a security token is lost), there is no need for a certificate revocation list (CRL). Instead, you will use the Cisco CTL client and update the CRL by removing the untrusted entry (for instance, a lost security token) from the list.
Installing the CTL Client
The Cisco CTL client application can be installed on any PC running Microsoft Windows 2000 or XP Workstation or Microsoft Windows 2000 or 2003 Server, as long as the PC has at least one Universal Serial Bus (USB) port. This device can be any Cisco CallManager server in your cluster or any client PC.
The Cisco CTL client application is installed from the Cisco CallManager Administration Install Plugins window. You can accomplish the installation just by walking through a simple wizard, as shown in Figure 27-2. During installation, you are prompted for the destination folder; you can set any directory of your choice or simply accept the default.
Figure 27-2. Installing the CTL Client
The Smart Card service has to be activated on the PC. To activate the Smart Card service under Microsoft Windows 2000, choose Start > Settings > Control Panel > Administrative Tools > Services to launch the Microsoft services administration tool. Then use the tool to verify the status of the Smart Card service. The service should have the startup type of Automatic and the Current Status should be Running.
After you have installed the CTL Client, you can access it from the icon automatically placed on your desktop. Initially, it will ask for the CallManager server information for the cluster, as shown in Figure 27-3.
Figure 27-3. Configuring the CTL Client
After entering the CallManager server information and successfully authenticating, you can either set the cluster security mode or update the CTL file. A Cisco CallManager cluster supports two security modes:
There is no secure-only mode. This setting would prevent Cisco IP Phones without security enabled from placing calls. Many Cisco IP Phones do not support security features and would not be able to operate in a secure-only environment.
In addition to setting the cluster security mode, you use the Cisco CTL client to update the CTL file. This update is needed after adding or removing components, such as servers or security tokens. After changing the list of CTL entries, you need to sign the new CTL using a security token.
Working with Locally Significant Certificates
Part I: Cisco CallManager Fundamentals
Introduction to Cisco Unified Communications and Cisco Unified CallManager
Cisco Unified CallManager Clustering and Deployment Options
Cisco Unified CallManager Installation and Upgrades
Part II: IPT Devices and Users
Cisco IP Phones and Other User Devices
Configuring Cisco Unified CallManager to Support IP Phones
Cisco IP Telephony Users
Cisco Bulk Administration Tool
Part III: IPT Network Integration and Route Plan
Cisco Catalyst Switches
Configuring Cisco Gateways and Trunks
Cisco Unified CallManager Route Plan Basics
Cisco Unified CallManager Advanced Route Plans
Configuring Hunt Groups and Call Coverage
Implementing Telephony Call Restrictions and Control
Implementing Multiple-Site Deployments
Part IV: VoIP Features
Configuring User Features, Part 1
Configuring User Features, Part 2
Configuring Cisco Unified CallManager Attendant Console
Configuring Cisco IP Manager Assistant
Part V: IPT Security
Securing the Windows Operating System
Securing Cisco Unified CallManager Administration
Preventing Toll Fraud
Hardening the IP Phone
Understanding Cryptographic Fundamentals
Understanding the Public Key Infrastructure
Understanding Cisco IP Telephony Authentication and Encryption Fundamentals
Configuring Cisco IP Telephony Authentication and Encryption
Part VI: IP Video
Introducing IP Video Telephony
Configuring Cisco VT Advantage
Part VII: IPT Management
Introducing Database Tools and Cisco Unified CallManager Serviceability
Configuring Alarms and Traces
Using Additional Management and Monitoring Tools
Part VIII: Appendix
Appendix A. Answers to Review Questions